From: Fred Cohen <fc@all.net>
To: iwar@yahoogroups.com
Reply-To: iwar@yahoogroups.com
Date: Tue, 24 Jul 2001 06:51:07 -0700 (PDT)
Subject: Re: [iwar] 21 club
In-Reply-To: <FMEBKCCNDNLCDGCDNJAOGEGHCAAA.jsforza@isrisk.net> from "John Sforza" at Jul 24, 2001 08:24:59 AM
Message-Id: <200107241351.GAA11701@big.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

Per the message sent by John Sforza:

> > > e.r. says:
> > > "Most of its members are without a clue on IWAR and cyber-terrorism, and
> > > the firm which they ran have all been victums[sic] of cybers attacks
> > > already."
> >
> > Jim says:
> > ...and your justification for this opinion is...? What substantiates the idea
> > that "21 CEOs" are worse than what currently exists?
>
> John says:
> Among those individuals with enough 'name' to be taken seriously by private
> and government entities, who hasn't had an experience with some form of
> cyber attack? As to 'clue', these individuals need to lead the process - not
> fight in the trenches - and that requires vision. Perhaps a new set of
> viewpoints would be productive. On the other hand, I am reminded of the poem
> 'The Blind Men and the Elephant' by John Godfrey Saxe (with credit, of course,
> to its Indian origin); it will be very difficult (Fred, how about a
> probability model of group consensus here) if not impossible to define and
> drive an effective cyber security policy without a dominant leader, and I am
> not sure that Condoleezza Rice can provide that among her other
> responsibilities. I also have reservations regarding an 'all Federal' group;
> let's let everybody play. Bottom line - 21 individuals in a room is either a
> cocktail party or an unlawful assembly.

Fred says:

[2^(i pi) / 17^23] / 273.44323 = nothing of value.

As far as I recall, the ideal size for a group in order to be effective is on
the order of 4-7 - one of the reasons we choose groups of this size for most
projects (or chunk the projects into this many subgroups - recursively). A
manager can supposedly manage 20 people effectively - so Condo should be able
to handle that part of it. Without these agencies represented you are unlikely
to have the consensus you need to get things to work in the government anyway,
but that isn't really the issue at all and never has been. They were all
consulted (for certain) by Mr. Clark.

The issue is whether Ms. Rice can effectively deal with this issue at this
level while also dealing with the many other issues she has to deal with. She
could presumably manage 20 people if that was all she was doing - but it's
not. The question is whether the US needs a single, full-time top-level
manager in charge of this issue. Bush thinks not.

My experience and the history of the last many years has shown that companies
and organizations that do not have a high quality top level person in charge
of this function tend to have poorly coordinated programs and tend to be less
efficient, less effective, and more susceptible to high consequence incidents.
For effective organizations this spreads down the organizational structure
recursively so that something like 5% of the IT effort is oriented toward
information protection. In other words, if the US government had a CIO, 1 of
the 20 people reporting to them should be a top-level full-time information
protection manager. This should hold for every other level of management and
staff involved in using computers to do their jobs. So if there were 40
million federal employee hours per week spent using computers, there should
be 2 million employee hours per week spent in information protection. This
figure includes systems and network administration tasks as well as 'computer
security' tasks - which cannot realistically be separated.

Just my view.

FC

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven
This communication is confidential to the parties it is intended to serve.
PGP keys: https://all.net/pgpkeys.html - Have a great day!!!
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:37 PDT